CVE Database

9241+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2025-43932
9.8 CRITICAL

JobCenter through 7e7b0b2 allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP …

Jul 7, 2025
CVE-2025-43931
9.8 CRITICAL

flask-boilerplate through a170e7c allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP …

Jul 7, 2025
CVE-2025-6811
9.8 CRITICAL

Mescius ActiveReports.NET TypeResolutionService Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Mescius …

Jul 7, 2025
CVE-2025-6810
9.8 CRITICAL

Mescius ActiveReports.NET ReadValue Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Mescius …

Jul 7, 2025
CVE-2025-6805
9.1 CRITICAL

Marvell QConvergeConsole deleteEventLogFile Directory Traversal Arbitrary File Deletion Vulnerability. This vulnerability allows remote attackers to delete arbitrary files on affected installations of Marvell QConvergeConsole. Authentication …

Jul 7, 2025
CVE-2025-6802
9.8 CRITICAL

Marvell QConvergeConsole getFileFromURL Unrestricted File Upload Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Marvell QConvergeConsole. …

Jul 7, 2025
CVE-2025-6798
9.1 CRITICAL

Marvell QConvergeConsole deleteAppFile Directory Traversal Arbitrary File Deletion Vulnerability. This vulnerability allows remote attackers to delete arbitrary files on affected installations of Marvell QConvergeConsole. Authentication …

Jul 7, 2025
CVE-2025-6794
9.8 CRITICAL

Marvell QConvergeConsole saveAsText Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Marvell QConvergeConsole. Authentication …

Jul 7, 2025
CVE-2025-6793
9.4 CRITICAL

Marvell QConvergeConsole QLogicDownloadImpl Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability. This vulnerability allows remote attackers to delete arbitrary files and disclose sensitive information …

Jul 7, 2025
CVE-2025-43930
9.8 CRITICAL

Hashview 0.8.1 allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header.

Jul 7, 2025
CVE-2025-3626
9.1 CRITICAL

A remote attacker with administrator account can gain full control of the device due to improper neutralization of special elements used in an OS Command …

Jul 7, 2025
CVE-2025-41672
10.0 CRITICAL

A remote unauthenticated attacker may use default certificates to generate JWT Tokens and gain full access to the tool and all connected devices.

Jul 7, 2025
CVE-2025-48501
9.8 CRITICAL

An OS command injection issue exists in Nimesa Backup and Recovery v2.3 and v2.4. If this vulnerability is exploited, an arbitrary OS commands may be …

Jul 7, 2025
CVE-2025-26850
9.3 CRITICAL

The agent in Quest KACE Systems Management Appliance (SMA) before 14.0.97 and 14.1.x before 14.1.19 potentially allows privilege escalation on managed systems.

Jul 5, 2025
CVE-2025-48952
9.4 CRITICAL

NetAlertX is a network, presence scanner, and alert framework. Prior to version 25.6.7, a vulnerability in the authentication logic allows users to bypass password verification …

Jul 4, 2025
CVE-2025-53484
9.8 CRITICAL

User-controlled inputs are improperly escaped in: * VotePage.php (poll option input) * ResultPage::getPagesTab() and getErrorsTab() (user-controllable page names) This allows attackers to inject JavaScript and …

Jul 4, 2025
CVE-2025-52833
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in designthemes LMS lms allows SQL Injection.This issue affects LMS: from n/a …

Jul 4, 2025
CVE-2025-52832
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpo-HR NGG Smart Image Search ngg-smart-image-search allows SQL Injection.This issue affects …

Jul 4, 2025
CVE-2025-52831
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in thanhtungtnt Video List Manager video-list-manager allows SQL Injection.This issue affects Video …

Jul 4, 2025
CVE-2025-52830
9.3 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bSecure – Your Universal Checkout bSecure – Your Universal Checkout bsecure …

Jul 4, 2025
CVE-2025-49867
9.8 CRITICAL

Incorrect Privilege Assignment vulnerability in InspiryThemes RealHomes realhomes allows Privilege Escalation.This issue affects RealHomes: from n/a through <= 4.4.0.

Jul 4, 2025
CVE-2025-49417
9.8 CRITICAL

Deserialization of Untrusted Data vulnerability in BestWpDeveloper WooCommerce Product Multi-Action Woo-product-multiaction allows Object Injection.This issue affects WooCommerce Product Multi-Action: from n/a through <= 1.3.

Jul 4, 2025
CVE-2025-49414
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in Fastw3b LLC FW Gallery fw-gallery allows Using Malicious Files.This issue affects FW Gallery: from n/a through …

Jul 4, 2025
CVE-2025-49302
10.0 CRITICAL

Improper Control of Generation of Code ('Code Injection') vulnerability in Scott Paterson Easy Stripe easy-stripe allows Remote Code Inclusion.This issue affects Easy Stripe: from n/a …

Jul 4, 2025
CVE-2025-30933
10.0 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in LiquidThemes LogisticsHub logistics-hub allows Upload a Web Shell to a Web Server.This issue affects LogisticsHub: from …

Jul 4, 2025
CVE-2025-28983
9.8 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect allows Privilege Escalation. This issue affects …

Jul 4, 2025
CVE-2025-23970
9.8 CRITICAL

Incorrect Privilege Assignment vulnerability in aonetheme Service Finder Booking sf-booking allows Privilege Escalation.This issue affects Service Finder Booking: from n/a through <= 6.1.

Jul 4, 2025
CVE-2025-28951
9.1 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in CreedAlly Bulk Featured Image bulk-featured-image allows Upload a Web Shell to a Web Server.This issue affects …

Jul 4, 2025
CVE-2025-53599
9.8 CRITICAL

Whale browser for iOS before 3.9.1.4206 allow an attacker to execute malicious scripts in the browser via a crafted javascript scheme.

Jul 4, 2025
CVE-2025-23968
9.1 CRITICAL

Unrestricted Upload of File with Dangerous Type vulnerability in WebFactory AiBud WP aibuddy-openai-chatgpt allows Upload a Web Shell to a Web Server.This issue affects AiBud …

Jul 3, 2025
CVE-2025-45813
9.8 CRITICAL

ENENSYS IPGuard v2 2.10.0 was discovered to contain hardcoded credentials.

Jul 2, 2025
CVE-2025-45814
9.8 CRITICAL

Missing authentication checks in the query.fcgi endpoint of NS3000 v8.1.1.125110 , v7.2.8.124852 , and v7.x and NS2000 v7.02.08 allows attackers to execute a session hijacking …

Jul 2, 2025
CVE-2025-20309
10.0 CRITICAL

A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote …

Jul 2, 2025
CVE-2025-53006
9.8 CRITICAL

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, in both PostgreSQL and Redshift, apart from parameters like "socketfactory" …

Jul 2, 2025
CVE-2025-34071
9.8 CRITICAL

A remote code execution vulnerability in GFI Kerio Control 9.4.5 allows attackers with administrative access to upload and execute arbitrary code through the firmware upgrade …

Jul 2, 2025
CVE-2025-34070
9.8 CRITICAL

A missing authentication vulnerability in the GFIAgent component of GFI Kerio Control 9.4.5 allows unauthenticated remote attackers to perform privileged operations. The GFIAgent service, responsible …

Jul 2, 2025
CVE-2025-34069
9.8 CRITICAL

An authentication bypass vulnerability exists in GFI Kerio Control 9.4.5 due to insecure default proxy configuration and weak access control in the GFIAgent service. The …

Jul 2, 2025
CVE-2024-13786
9.8 CRITICAL

The education theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.10 via deserialization of untrusted input in …

Jul 2, 2025
CVE-2025-5746
9.8 CRITICAL

The Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation …

Jul 2, 2025
CVE-2025-4689
9.8 CRITICAL

The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion which leads to Remote Code Execution in …

Jul 2, 2025
CVE-2025-52101
9.8 CRITICAL

linjiashop <=0.9 is vulnerable to Incorrect Access Control. When using the default-generated JWT authentication, attackers can bypass the authentication and retrieve the encrypted "password" and …

Jul 1, 2025
CVE-2025-45006
9.1 CRITICAL

Improper mstatus.SUM bit retention (non-zero) in Open-Source RISC-V Processor commit f517abb violates privileged spec constraints, enabling potential physical memory access attacks.

Jul 1, 2025
CVE-2025-53104
9.1 CRITICAL

gluestack-ui is a library of copy-pasteable components & patterns crafted with Tailwind CSS (NativeWind). Prior to commit e6b4271, a command injection vulnerability was discovered in …

Jul 1, 2025
CVE-2025-37099
9.8 CRITICAL

A remote code execution vulnerability exists in HPE Insight Remote Support (IRS) prior to v7.15.0.646.

Jul 1, 2025
CVE-2025-49029
9.1 CRITICAL

Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.kazi Custom Login And Signup Widget custom-login-and-signup-widget allows Code Injection.This issue affects Custom Login And …

Jul 1, 2025
CVE-2025-45872
9.8 CRITICAL

zrlog v3.1.5 was discovered to contain a Server-Side Request Forgery (SSRF) via the downloadUrl parameter.

Jul 1, 2025
CVE-2025-41656
10.0 CRITICAL

An unauthenticated remote attacker can run arbitrary commands on the affected devices with high privileges because the authentication for the Node_RED server is not configured …

Jul 1, 2025
CVE-2025-41648
9.8 CRITICAL

An unauthenticated remote attacker can bypass the login to the web application of the affected devices making it possible to access and change all available …

Jul 1, 2025
CVE-2025-6934
9.8 CRITICAL

The Opal Estate Pro – Property Management and Submission plugin for WordPress, used by the FullHouse - Real Estate Responsive WordPress Theme, is vulnerable to …

Jul 1, 2025
CVE-2025-53095
9.6 CRITICAL

Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Cross-Site Request Forgery (CSRF) …

Jul 1, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.